LimeSurvey Community 5.3.32 - Stored XSS

Exploit Author: Subhankar Singh Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-03-25 
# Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community
Edition Version 5.3.32+220817
# Exploit Author: Subhankar Singh
# Date: 2024-02-03
# Vendor: LimeSurvey
# Software Link: https://community.limesurvey.org/releases/
# Version: LimeSurvey Community Edition Version 5.3.32+220817
# Tested on: Windows (Client)
# CVE: CVE-2024-24506

## Description:

A critical security vulnerability exists in LimeSurvey Community Edition
Version 5.3.32+220817, particularly in the "General Setting"
functionality's "Administrator email address:" field. This allows an
attacker to compromise the super-admin account, leading to potential theft
of cookies and session tokens.

## Background:

Cross-site scripting (XSS) is a common web security vulnerability that
compromises user interactions with a vulnerable application. Stored XSS
occurs when user input is stored in the application and executed whenever a
user triggers or visits the page.

## Issue:

LimeSurvey fails to properly validate user-supplied input on both client
and server sides, despite some protective measures. The "Administrator
email address:" field within the "General Setting" functionality permits
the insertion of special characters, enabling the injection of malicious
JavaScript payloads. These payloads are stored in the database and executed
when the user saves or reloads the page.

## Steps To Reproduce:

1. Log into the LimeSurvey application.
2. Navigate to the general settings.
3. Insert the following JavaScript payload in the "Administrator email
address:" field:
Payload: `abcxyz@gmail.com"><u>s</u><svg
onload=confirm(document.domain)>`

## Expected Result:

The LimeSurvey application should display an alert with the domain after
clicking save and reloading the page.

## Actual Result:

The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, as
evidenced by the successful execution of the injected payload.

## Proof of Concept:

Attached Screenshots for the reference.


Overview

LimeSurvey Community Edition (CE) 5.3.32 (build +220817) was reported to contain a stored cross-site scripting (XSS) vulnerability affecting the application’s general settings functionality. The issue is tracked as CVE-2024-24506. Stored XSS allows malicious script supplied by an attacker to be persisted on the server and executed in the browser of an administrative user who views the affected page.

Vulnerability summary

Product LimeSurvey Community Edition
Versions affected 5.3.32+220817 (reported)
CVE CVE-2024-24506
Type Stored Cross-Site Scripting (XSS)
Impact Execution of attacker-supplied script in admin context — theft of cookies, session tokens, or other admin actions via the browser

What stored XSS is and why it matters

Cross-site scripting is a client-side code injection vulnerability. Stored XSS occurs when data supplied by a user is saved on the server (database or configuration) and later rendered into pages without proper encoding or sanitization. When that stored content is shown in an administrator interface, successful exploitation can lead to account compromise, token theft, or administrative actions performed by the attacker.

Root cause and high-level mechanics

  • Improper handling of user-supplied data in a server-side field used by the application UI — the application stored the raw input and later rendered it without sufficient output encoding.
  • Client-side validation alone is insufficient; server-side validation/encoding must be applied. In this case the server-side checks failed to block crafted input that resulted in executable HTML/JavaScript being stored.
  • The vulnerable field was part of global or administrative settings, meaning values are viewed by high-privilege users (super-admin), increasing potential impact.

Impact and risk scenarios

  • Administrative account takeover or session theft for users who view the affected settings page.
  • Unauthorized administrative actions performed via the browser of a logged-in admin.
  • Potential lateral escalation within an organization if the admin uses the same browser/session for other systems.

Safe detection and validation (do not exploit)

When assessing whether a system is vulnerable, follow safe, non-destructive testing practices. Do not inject malicious payloads into production. Instead:

  • Verify the server is running an affected version by checking application version pages or release notes.
  • Review stored configuration fields in the database for suspicious or unexpected HTML tags or script fragments and validate that expected input formats (email, URL, plain text) are enforced.
  • Use automated scanners in a staging environment to identify unencoded output in pages rendered for administrators.
  • Perform code review of the rendering templates and server-side validation logic to ensure output encoding is applied consistently.

Mitigation and remediation

Remediation should be performed at multiple layers: patching, configuration, and coding practice.

  • Patch: Upgrade to the vendor-released fix or the latest LimeSurvey CE version that contains the patch for CVE-2024-24506. This is the highest priority action.
  • Configuration: Limit access to administration interfaces (IP allowlists, VPN only). Require multi-factor authentication for administrative accounts.
  • Operational: Rotate admin sessions and cookies after remediation, reset administrator passwords if compromise is suspected, and review audit logs.
  • Application-level: Ensure server-side validation and output encoding for all user-supplied content, especially fields that appear in admin UIs.

Recommended short-term controls

  • Restrict who can reach the admin panel (network controls, web application firewall rules).
  • Enable HTTPOnly and SameSite cookies where applicable to make client-side theft harder.
  • Apply a Content-Security-Policy (CSP) to reduce the impact of injected scripts.

Secure coding examples (safe, defensive)

Below are safe examples showing input validation, server-side sanitization, and output encoding in PHP. These focus on avoiding stored XSS and do not include exploit payloads.

// Example: server-side validation and storage (PHP)
$email = $_POST['admin_email'] ?? '';
// Basic validation using PHP's filter
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    throw new Exception('Invalid email address');
}
// Enforce maximum length
if (mb_strlen($email, 'UTF-8') > 254) {
    throw new Exception('Email is too long');
}
// Store the validated value
// Use parameterized queries to avoid injection into SQL
$stmt = $pdo->prepare('UPDATE settings SET admin_email = :email WHERE id = 1');
$stmt->execute(['email' => $email]);

Explanation: This snippet validates that the input is a syntactically valid email using filter_var and rejects invalid values. It also enforces a reasonable maximum length for the field. Only validated data is persisted. Use parameterized queries to avoid SQL injection when writing to the database.

// Example: safe output encoding before rendering (PHP)
$admin_email = $settings['admin_email'] ?? '';
// Encode for HTML context
echo htmlspecialchars($admin_email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

Explanation: htmlspecialchars transforms characters that have special meaning in HTML into safe entity sequences (e.g., <, >, &, quotes). Always encode untrusted data at the point of output according to the context (HTML body, attribute, JavaScript, URL).

// Example: Content Security Policy header (set on server)
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none';");

Explanation: A strict CSP reduces the impact of injected scripts by restricting sources from which scripts can be executed. It is a defense-in-depth control and should be tuned to your application’s legitimate needs.

Framework-specific recommendations

  • Use the platform/framework built-in validators and escaping helpers. For example, when using Yii or similar PHP frameworks, prefer Html::encode() or equivalent methods for output encoding.
  • Apply validators at the model level (e.g., email validators with strict rules) and encode at the view layer.
  • Avoid trusting client-side validation; always revalidate and encode on the server before storage and again on output.

Operational recovery steps after a confirmed incident

  • Patch or upgrade the application immediately.
  • Invalidate active sessions and force all administrators to re-authenticate.
  • Rotate secrets used in integrations and check for suspicious API activity or administrative actions in logs.
  • Audit the application database for unexpected stored content in configuration or text fields and remove or sanitize suspicious entries in a controlled manner.
  • Notify affected stakeholders and follow local incident response procedures.

Responsible disclosure and CVE reference

This vulnerability is catalogued as CVE-2024-24506. If you discover further issues, follow responsible disclosure: report to the vendor (LimeSurvey) via their security contact channels and avoid publishing exploit details publicly until a patch is available and deployed.

References and further reading

  • LimeSurvey community releases and advisories: https://community.limesurvey.org/releases/
  • OWASP XSS Prevention Cheat Sheet — guidance for proper encoding and sanitization.
  • Content Security Policy (CSP) best practices — for mitigating impact of client-side injection.